Privacy Policy

Last updated: March 31, 2026

1. Who We Are

Pass EPSO is operated by Cristina Sanchez Romero ("we", "us"), based in Luxembourg. We provide an AI-powered preparation platform for the EPSO AD5 Generalist competition at passepso.com.

2. Data We Collect

We collect the following personal data when you use our platform:

Account data: email address, username, display name, and password (stored securely using one-way hashing).
Usage data: practice session history, answers submitted, scores, time spent, and feature usage patterns.
Payment data: processed entirely by Stripe. We store only your Stripe customer ID. We never store, process, or have access to your card number, CVV, or billing details.
Technical data: IP address, browser type, device information, and referring URL via server logs.
Marketing data: UTM parameters and campaign identifiers (e.g. from ad clicks) stored in a browser cookie for attribution purposes.

3. Why We Collect It

To provide and improve the adaptive learning experience.
To process payments securely via Stripe.
To communicate service updates and transactional emails (e.g. purchase confirmations).
To send marketing emails only with your explicit consent, which you can withdraw at any time.
To maintain platform security and prevent abuse.
To measure the effectiveness of our advertising campaigns (server-side only, see Section 9).

4. Legal Basis (GDPR)

We process your data based on:

Contract performance (Art. 6(1)(b) GDPR): providing the service you signed up for, processing payments, managing your account.
Legitimate interest (Art. 6(1)(f) GDPR): platform security, fraud prevention, aggregated analytics to improve the service.
Consent (Art. 6(1)(a) GDPR): marketing emails, non-essential cookies, and conversion tracking. You may withdraw consent at any time.
Legal obligation (Art. 6(1)(c) GDPR): retention of payment records as required by Luxembourg tax law.

5. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with the following processors, strictly for the purposes described:

Stripe (San Francisco, USA): payment processing. Stripe is PCI-DSS Level 1 certified. Data transfers to the US are covered by Standard Contractual Clauses. Stripe Privacy Policy.
Cloudflare (San Francisco, USA): content delivery network (CDN), DDoS protection, DNS, and static file hosting (Cloudflare R2). Cloudflare processes request metadata (IP address, headers) to route and protect traffic. Cloudflare Privacy Policy.
Umami (self-hosted): privacy-friendly web analytics. Umami does not use cookies and does not track users across websites. Data is stored on our own servers.

We have Data Processing Agreements (DPAs) in place with all third-party processors to ensure GDPR compliance. All international data transfers are protected by appropriate safeguards (Standard Contractual Clauses or adequacy decisions).

6. Data Retention

Account and practice data: retained for the lifetime of your account. You can request deletion at any time (see Section 8).
Payment records: retained for 7 years per Luxembourg tax law (Loi du 4 décembre 1967).
Server logs: retained for 90 days, then automatically deleted.
Analytics data (Umami): aggregated and anonymised; no personal identifiers are retained beyond 90 days.
Marketing cookies (pe_utm): expire automatically after 30 days.

7. Automated Processing

Our platform uses an adaptive learning algorithm (SM-2 spaced repetition) to personalise your practice experience. This algorithm analyses your answer patterns, accuracy, and response times to determine which questions to show you next and estimate your exam readiness. This processing is necessary for the performance of our contract with you (providing personalised exam preparation).

This automated processing does not produce legal effects or similarly significantly affect you. You may contact us to request human review of any automated decision.

AI and your data: Your practice data, answers, and personal information are never used to train artificial intelligence models, machine learning systems, or large language models, whether ours or those of third parties. Your data is used exclusively to provide the service to you.

8. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

Access (Art. 15): obtain a copy of all personal data we hold about you.
Rectification (Art. 16): correct inaccurate or incomplete data.
Erasure (Art. 17): request deletion of your data ("right to be forgotten"). We will erase your data without undue delay, except where retention is required by law.
Restriction (Art. 18): request that we limit how we process your data.
Data portability (Art. 20): receive your data in a structured, machine-readable format.
Objection (Art. 21): object to processing based on legitimate interest, including profiling.
Withdraw consent (Art. 7(3)): withdraw consent at any time (e.g. for marketing emails) without affecting the lawfulness of prior processing.

To exercise any of these rights, use the contact form (select "Privacy / Data Request") or write to [email protected]. We will respond within 30 days.

You also have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (CNPD), the Luxembourg data protection authority: cnpd.public.lu.

9. Cookies and Tracking

We use the following types of cookies and tracking technologies:

Essential cookies (no consent required): Django session cookie and CSRF token, necessary for authentication and security.
Analytics cookie (pe_utm): stores UTM campaign parameters from ad clicks for 30 days, to attribute signups to the correct marketing channel. Set only when you arrive via an advertising link.

Umami analytics: We use self-hosted Umami for web analytics. Umami is designed to be privacy-friendly and does not use cookies, does not collect personal data, and does not track users across websites.

Meta Pixel (browser-based): With your consent, we load the Meta Pixel (Facebook Pixel) in your browser to measure the effectiveness of our advertising campaigns on Facebook and Instagram. This may set cookies (e.g. _fbp) that Meta uses to attribute ad clicks to conversions. We also use the Meta Conversions API (server-side) alongside the pixel. You can manage your Meta ad preferences at facebook.com/ads/preferences.

Google Ads conversion tracking: With your consent, we load Google's gtag.js to measure conversions from Google Ads campaigns. This script may set cookies in your browser (e.g. _gcl_au) to attribute ad clicks to conversions. You can opt out of Google Ads personalisation at adssettings.google.com.

Cookie consent: We use our own cookie consent banner. You may withdraw or change your consent at any time by clicking "Cookie Preferences" in the footer, or by clearing your browser's local storage for passepso.com.

Do Not Track: We respect the Do Not Track (DNT) browser setting. If your browser sends a DNT signal, we disable non-essential analytics tracking.

10. Children's Privacy

Our service is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. International Data Transfers

Some of our processors (Stripe, Cloudflare) are based in the United States. Data transfers to countries outside the EEA are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of data protection.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top indicates the most recent revision. Material changes will be communicated via email to registered users. Continued use of the platform after changes constitutes acceptance.

13. Contact

For privacy requests, data subject access requests, or questions about this policy:

Use the contact form (select "Privacy / Data Request")
Email: [email protected]

Data controller: Cristina Sanchez Romero, Luxembourg.